4-OP-H-32 Gramm Leach Bliley Act (GLB) Policy

Responsible Executive: Information Security and Privacy Office

Approving Official: Vice President for Finance and Administration

Effective Date: March 1, 2024

Revision History: No revisions at this time.


  1. INTRODUCTION
    1. OVERVIEW AND PURPOSE

      The Gramm Leach Bliley Act (“GLB” or “Act”) is intended to improve many aspects of financial services regulation, including adding privacy and security requirements for nonpublic personal information provided by customers of financial institutions (15 U.S.C. §§ 6801-6809). GLB is the commonly used name for the Financial Services Modernization Act of 1999.

      GLB affects any financial institution that provides a financial product or service to a customer and establishes rules for financial institutions to safeguard and protect the privacy of confidential customer financial information.  Higher education institutions are required to comply with GLB because such institutions are often significantly engaged in lending funds to consumers and/or participate in loan activities regulated by GLB.

      The Standards for Safeguarding Customer Information (“Safeguards Rule”) is a GLB regulation adopted by the Federal Trade Commission in December 2021. The amended rule includes additional requirements for protecting consumer information regulated by the Act and removes certain exceptions. The effective date for most changes made to the rule is June 9, 2023.

    2. SCOPE

      Florida State University (“FSU” or “University”) colleges, departments, or divisions that perform a financial service, provide a financial product, or collect or maintain consumer personally identifiable information or personally identifiable financial information regulated by GLB are required to comply with this policy.

    3. DEFINITIONS

      Affiliate means any company that controls, is controlled by, or is under common control with another company.

      Collect means to obtain information that you organize or can retrieve by the name of an individual or by identifying number, symbol, or other identifying particular assigned to the individual, irrespective of the source of the underlying information.

      Company means any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization.

      Consumer means an individual who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes, or that individual's legal representative.

      Customer means a consumer who has a customer relationship with a financial institution.

      Customer information means any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of a financial institution or its affiliates.

      Encryption means the transformation of data into a form that results in a low probability of assigning meaning without the use of a protective process or key, consistent with current cryptographic standards and accompanied by appropriate safeguards for cryptographic key material.

      Financial institution means any institution the business of which is engaging in an activity that is financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956, 12 U.S.C. § 1843(k). An institution that is significantly engaged in financial activities, or significantly engaged in activities incidental to such financial activities, is a financial institution. Financial institution does not include entities not significantly engaged in performing regulated financial activities or engaged in activities incidental to financial activities regulated by GLB. Examples of entities not significantly engaged in financial activities are as follows:

      1. An entity is not a financial institution merely because it accepts payment in the form of cash, checks, or credit cards that it did not issue.
      2. An entity or merchant is not a financial institution merely because it allows an individual to “run a tab.” 
      3. An entity or store is not a financial institution merely because it allows individuals to whom it sells products to cash a check or write a check for a higher amount than the product purchase and obtain cash in return.

      Financial product or service means any product or service that a financial holding company could offer by engaging in a financial activity under section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. § 1843(k)). Financial service includes evaluation or brokerage of information that is collected in connection with a request or an application from a consumer for a financial product or service.

      Information security program means the administrative, technical, or physical safeguards you use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.

      Information system means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information containing customer information or connected to a system containing customer information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental controls systems that contains customer information or that is connected to a system that contains customer information.

      Multi-factor authentication means authentication through verification of at least two of the following types of authentication factors: (1) Knowledge factors, such as a password; (2) Possession factors, such as a token; (3) Inherence factors, such as biometric characteristics.

      Nonpublic personal information means (i) Personally identifiable financial information; and (ii) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.

      Nonpublic personal information does not include: (i) Publicly available information, except as included on a list described in paragraph (l)(1)(ii) of 16 C.F.R. § 314.2; or (ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information that is not publicly available.

      For example, nonpublic personal information includes any list of individuals' names and street addresses that is derived in whole or in part using personally identifiable financial information (that is not publicly available), such as account numbers.

      Nonpublic personal information also does not include any list of individuals' names and addresses that contains only publicly available information, is not derived, in whole or in part, using personally identifiable financial information that is not publicly available, and is not disclosed in a manner that indicates that any individual on the list is a consumer of a financial institution.

      Penetration testing means a test methodology in which assessors attempt to circumvent or defeat the security features of an FSU information system by attempting penetration of databases or controls from outside or inside the university information technology environment or university information systems.

      Personally identifiable financial information means any information: (i) A consumer provides to you to obtain a financial product or service from you; (ii) About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or (iii) the university otherwise obtains about a consumer in connection with providing a financial product or service to that consumer.

      Personally identifiable financial information includes: (i) Information a consumer provides to you on an application to obtain a loan, credit card, or other financial product or service; (ii) Account balance information, payment history, overdraft history, and credit or debit card purchase information; (iii) The fact that an individual is or has been one of your customers or has obtained a financial product or service from you; (iv) Any information about your consumer if it is disclosed in a manner that indicates that the individual is or has been your consumer; (v) Any information that a consumer provides to you or that you or your agent otherwise obtain in connection with collecting on, or servicing, a credit account; (vi) Any information you collect through an internet “cookie” (an information collecting device from a web server); (vii) Information from a consumer report.

      Personally identifiable financial information does not include: (i) A list of names and addresses of customers of an entity that is not a financial institution; (ii) Information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names, or addresses.

      Protected financial information means (i) data or information a student or other third-party provides in order to obtain a financial product or service from FSU, (ii) data or information about a student or other third-party resulting from any transaction with FSU involving a financial product or service, or (iii) data or information otherwise obtained about a student or other third-party in connection with providing a financial product or service to that person.

      Publicly available information means any information that is lawfully made available to the general public from: (i) Federal, state, or local government records; (ii) Widely distributed media; or (iii) Disclosures to the general public that are required to be made by federal, state, or local law (16 C.F.R. § 314.2(o)).

      Service provider means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to this policy.

  2. POLICY
    1. This policy designates the FSU Chief Information Security Officer (CISO) to oversee and implement the University information security program. Units required to comply with GLB are required to adopt and participate in the information security program. Units and users are required to comply with the 4-OP-H-20 Information Technology Security and Information Assurance Policy and its supplemental standards in their use of FSU’s IT resources, and must periodically evaluate and, when necessary, adjust responsibilities associated with the information security program based on the results of testing and monitoring of safeguards, key controls, systems, and procedures.
    2. University unit information security managers and unit privacy coordinators established in the Information Technology Security and Information Assurance Policy are responsible for coordinating unit activities needed to maintain compliance with GLB safeguard and privacy requirements. For units participating in the University’s Seminole Secure program, the GLB incident response, risk assessment, and vulnerability assessment policy requirements may be met as part of fulfilling their responsibilities under that policy and its related standards, provided such units incorporate GLB regulated functions or data in the Seminole Secure activities referenced herein.
    3. Higher education institutions are deemed in compliance with GLB privacy requirements insofar as the institution maintains compliance with Family Educational Rights and Privacy Act (FERPA) privacy requirements (12 C.F.R. § 1016.1(b)(2)(ii)).
    4. University units that perform a GLB regulated function or collect or maintain GLB regulated consumer protected financial information must comply with the following requirements when dealing with any record containing such financial information, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of FSU or its affiliates:
      1. Implement reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for customer information regulated by GLB. 
      2. Oversee and contractually require service providers to implement GLB safeguards by establishing terms and conditions for service providers who process, store, or transfer consumer protected financial information, and ensure such contracts include provisions requiring service providers to comply with 16 C.F.R. (Code of Federal Regulations) Part 314, and if applicable, 16 C.F.R. Part 313.
      3. Provide a clear and conspicuous notice that reflects the privacy policies and practices of the University unit. 
      4. Conduct and utilize written risk assessments for mitigating, accepting, or transferring identified internal and external risks, including relevant third-party service provider risks. Design and implement safeguards needed to control the risks that have been identified.
      5. Ensure risk assessments consider the following areas relevant to the University unit’s GLB compliance responsibilities: (i) employee training & management, (ii) information systems, including network and software design, (iii) information processing, storage, transmission, and disposal, (iv) detection, prevention, and response to attacks, intrusions, or system failures.
      6. Assist in the development of written reports delivered by the CISO or designee to the University board on at least an annual basis.  
      7. Conduct annual penetration tests and twice annual vulnerability assessments needed to comply with GLB requirements.  
      8. Document a comprehensive incident response plan. 
      9. Encrypt protected financial information when at rest and in transit or alternatively implement effective compensating controls for safeguarding such information if encryption is not feasible to implement. 
      10. Establish and implement multifactor authentication (MFA) and related authorization and access controls needed to implement the “principle of least privilege” for systems that process, receive, store, or transmit protected financial information in compliance with privileged access management requirements. 
      11. Establish and implement data retention controls which securely dispose of customer data within 2 years of last use unless retention of such data is required for valid University business reasons.
      12. Adopt and implement policies and procedures for change management and monitoring and logging authorized and unauthorized user activity.
      13. Adopt secure development practices for in-house developed applications utilized to transmit, access, or store customer information and adopt procedures for evaluating and testing the security of externally developed applications used to access, store, or transmit such customer information.

  3. POLICY VIOLATIONS

    Personnel who fail to comply with the requirements of this policy, or any supplemental policies, requirements, or standards published by the University may be subject to other penalties and disciplinary action. University disciplinary action is governed under the Disciplinary Guidelines published by the FSU Office of Human Resources. Unauthorized or fraudulent use of university data or computing resources may result in criminal prosecution.

  4. LEGAL AUTHORITY, JUSTIFICATION, AND REVIEW OF THIS POLICY

    Privacy of Consumer Financial Information – 16 C.F.R. Part 313 (§§ 313.1 – 313.17)
    Standards for Safeguarding Customer Information – 16 C.F.R. Part 314 (§§ 314.1 – 314.6)
    Security of Confidential Personal Information – Chapter 501.171, Florida Statutes

    Review 
    This policy shall be reviewed by the Chief Information Security Officer seven (7) years from the date of initial establishment, or when determined to be necessary based on changes in the federal or state law, rules, or regulations.